CYBER RISK CONSULTING. Smartphone Security Issues

CYBER RISK CONSULTING
Blackhat Briefings Europe 2004
Smartphone Security Issues
May 2004
Luc DELPHA, Maliha RASHID

Agenda
1. Introduction
   - Why smartphones?
   - Functionalities
   - Operating systems
   - Supported connectivity
   - Wireless networks
   - Summary
2. Risks
   - Inherent nature of smartphones
   - Bluetooth
   - GPRS
   - Java applications
3. Challenges
   - Legal issues
   - Security policy
   - A secure framework
   - Perspectives
4. Conclusion
1. Introduction: Why smartphones?
- Same functionalities as traditional PDAs
- More connectivity: GPRS (always on), Bluetooth
- Mainstream availability
- Gadget appeal
- General tendency to become more popular than PDAs
- Highly personal interaction

1. Introduction: Functionalities
- Telephone: GSM / GPRS (in Europe)
- Camera
- PIM data (Personal Information Management): contacts, calendar, tasks
- Synchronization
- Email client (POP3, IMAP)
- Web browsing
- Java applications
- File exchange (vCard, ..., photos) via IrDA or Bluetooth
- Multi-player games over Bluetooth (N-Gage)

1. Introduction: Operating systems
- Symbian OS, Palm OS, Windows Mobile, Linux
- Symbian OS version 8.0

1. Introduction: Supported connectivity
- GPRS: General Packet Radio Service
- Wi-Fi: for PDAs; Symbian OS 8 supports Wi-Fi
- Bluetooth
- IrDA

1. Introduction: Bluetooth
- Core specification: more than a thousand pages
- Profiles: Synchronization, Service Discovery, Generic Object Exchange Profile

1. Introduction: GPRS
- GPRS: extension of GSM
- IP backbone
- Main elements: GGSN and SGSN
- Firewall between the GGSN and external data networks

  SGSN --> GPRS IP Backbone --> GGSN --> Firewall --> External Data Networks / Internet
2. Risks: Inherent nature of smartphones
- Dedicated operating systems: bugs, implementation errors, security holes
  - MIDP 2.0 implementation issues on the Nokia 6600
  - Windows based devices
- Access control: PIN code
  - In most cases no native authentication for data stored on the device
  - With physical access to the device anyone can access the data (flash chipsets or removable memory cards)
- Device can easily be destroyed

2. Risks: The users
- Smartphone used to store confidential data
  - Corporate: diary, email, ..., data
  - Personal: diary, email, ..., data
- Risk of loss or theft because the device is not physically contained
- Synchronization with the information system: PIM data, email, attachments
  - Difficult to control
  - If the smartphone is compromised, the information system is exposed
- Back to corporate data... understanding the user with the ebay example

2. Risks: Wireless networks - Bluetooth
- Bluetooth security implementation in smartphones restrained to:
  - non-discoverable mode
  - pairing mechanism
- Non-discoverable mode can be bypassed (Redfang, Btscanner): brute forcing the last six bytes of the MAC address and calling read_remote_name()
- Ways to force the pairing: the Bluejacking craze
  - «U've been bluejacked» in place of the Bluetooth device name
  - Send to surrounding Bluetooth devices, watch the surprised expression
  - Harmless, but the message can prompt to pair
  - If pairing succeeds, the bluejacker gets access to files on the victim's device

2. Risks: Wireless networks - Bluetooth
- Vulnerabilities in Bluetooth implementations
  - Nokia Bluetooth enabled phones vulnerable: CAN-2004-0143, buffer overflow provoked by a malformed OBEX message
  - Persistence of the trust relationship even after the device has been removed from the list of paired devices
- Bluetooth is a complex protocol
  - Interoperability of devices is a priority
  - Specification is deliberately not explicit on implementation details
  - Implementation errors are bound to happen, increasing the risk of security holes

2. Risks: Wireless networks - GPRS
- GPRS security depends on measures taken by the operator to secure the GGSN
  - If the GGSN is compromised, the GPRS network is exposed
- Possible GPRS attacks:
  - Firewall NAT: reserving all the ports
  - Flooding the GPRS connection with TCP traffic from the Internet
- Multiple PDP contexts supported in Symbian OS v8.0
  - Simultaneous private and public contexts
  - Private context can be attacked by public context!
  - Same as having a PC connected to the LAN and the Internet via a modem at the same time

2. Risks: Java applications
- MIDlet: Java stand-alone application for mobile devices
- MIDP: Mobile Information Device Profile
- MIDP 1.0
  - Limited possibilities: sandbox means limited access to the device
  - Limited security: no security manager, limited bytecode verification, security packages discarded due to performance issues, no support for HTTPS connections
- MIDP 2.0
  - Concept of trusted MIDlet: if the MIDlet is trusted, access to PIM, Messaging, Bluetooth APIs amongst others
  - The user can decide whether or not to trust the MIDlet. Can the user be trusted to do this?
  - Third party malicious MIDlet can access information on the device and send it to a remote server, posing as an «innocent» application (e.g. a game that prompts to connect to the Internet to put the high scores on a website)
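The MIDP 2.0 trust model above, as an added example that is not part of the presentation: a small Python model of a protection-domain policy that decides whether a MIDlet's API call is granted silently, refused, or handed to the user. The domain names and the policy table are assumptions modelled on the shape of the MIDP 2.0 recommended security policy, reduced to three permissions; the "game that uploads high scores" check shows that for a trusted third-party MIDlet the user's answer is the only barrier between the contact list and the network.

```python
# Added example, not code from the presentation: a simplified model of the
# MIDP 2.0 permission policy.  The domain names and the policy table below are
# assumptions modelled on the shape of the MIDP 2.0 recommended security
# policy, reduced to three permissions; real handsets ship their own tables.

# Permission names as used by MIDP 2.0 (HTTP), JSR 75 (PIM) and JSR 82 (Bluetooth).
HTTP = "javax.microedition.io.Connector.http"
PIM_READ = "javax.microedition.pim.ContactList.read"
BT_CLIENT = "javax.microedition.io.Connector.bluetooth.client"

# Interaction mode per (protection domain, permission):
#   "allowed": granted silently; "oneshot"/"session": the user is asked;
#   "denied": refused without asking.  An unsigned MIDlet is "untrusted";
#   a MIDlet signed with a recognised third-party certificate is trusted.
POLICY = {
    "untrusted": {HTTP: "oneshot", PIM_READ: "denied", BT_CLIENT: "denied"},
    "trusted_third_party": {HTTP: "session", PIM_READ: "oneshot", BT_CLIENT: "oneshot"},
    "manufacturer": {HTTP: "allowed", PIM_READ: "allowed", BT_CLIENT: "allowed"},
}


def check_permission(domain, permission, user_accepts):
    """Return True if the API call goes ahead.

    user_accepts models the user's answer to the prompt and is consulted only
    when the policy delegates the decision to the user.
    """
    mode = POLICY[domain].get(permission, "denied")
    if mode == "allowed":
        return True
    if mode == "denied":
        return False
    return bool(user_accepts)  # "oneshot" or "session": the user decides


def contacts_can_leave_device(domain, user_accepts):
    """The slide's scenario: a 'game' reads the contact list and then opens an
    HTTP connection 'to upload high scores'.  Data leaves the device only if
    both calls are granted; for a trusted third-party MIDlet the user's
    answer is the sole barrier."""
    return (check_permission(domain, PIM_READ, user_accepts)
            and check_permission(domain, HTTP, user_accepts))


if __name__ == "__main__":
    for domain in POLICY:
        print(f"{domain:20s} user accepts -> {contacts_can_leave_device(domain, True)}")
```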
3. Challenges: Legal issues
- Given the risks, the use of these devices by employees needs to be supervised
- Forbidding use: unrealistic, impossible to control and enforce
  - Same dilemma as allowing personal use of the Internet at work
- Privacy issues in France and most of Europe
- Even if the device belongs to the employee, responsibility belongs to the company to secure the data
  - In case of disaster (the ebay worst case scenario), the company is responsible

3. Challenges: Security policy
- Inform employees of risks
- Clearly define the interaction between smartphones and the information system
- Clearly define harmless and harmful actions
- Clearly define what the smartphone infrastructure can and can't do
- Define the limits of existing technologies

3. Challenges: A secure framework
- Treat the smartphone like a laptop
  - Centralized administration
  - Mutual authentication between devices and servers
  - End-to-end encryption: VPN, IPsec
- Harden the smartphone
  - Logon authentication
  - Encrypt the data
  - Antivirus
  - Personal firewall

3. Challenges: Perspectives
- Smartphone security model is complex because it implicates a variety of actors:
  - Manufacturers
  - Operators
  - Smartphone designers
  - Software designers
  - Protocol designers
  - Administrators
  - Policy makers
  - Last but not least: users
- Goals of these actors may conflict
- Coordination is difficult
- Legislation may be required
4. Conclusion
- Smartphone design, architecture and associated network protocols are complex
  - Door open to implementation errors and structural weaknesses
- Growing interest in GPRS and Bluetooth
- Attacks simple to implement
- To counter these risks:
  - Communicate with users on the risks
  - Anticipate incorporating these devices as part of the information system
  - Create a suitable environment in which these devices can be used

Questions / Answers